
Agility 2017 Hands-on Lab Guide

DNS Services
F5 Networks, Inc.
Contents:

1 Lab Environment 5

2 Class 2 - Advanced GSLB 11
2.1 Transparent Cache 12
2.1.1 Monitors 12
2.1.2 Load Balancing 14
2.1.3 Results 17
2.2 Listeners 23
2.2.1 Log Profile 24
2.2.2 DNS Profile 28
2.2.3 UDP Profile 31
2.2.4 TCP Profile 32
2.2.5 UDP Listener 34
2.2.6 TCP Listeners 37
2.2.7 Results 40
2.3 Hidden Master 43
2.3.1 Name Server 43
2.3.2 DNS Express 45
2.3.3 Results 47
2.4 DNSSec 48
2.4.1 Zone Signing Key 49
2.4.2 Key Signing Key 50
2.4.3 Signed Zone 52
2.4.4 Results 54
2.5 Validating Resolver 55
2.5.1 Trust Anchors 55
2.5.2 Modify DNS Profile 59
2.5.3 Results 61
2.6 RPZ 69
2.6.1 Zone Runner 69
2.6.2 Name Server 73
2.6.3 DNS Express 75
2.6.4 Local Zone 77
2.6.5 Walled Garden 80
2.6.6 Results 82
2.7 URL Categorization 82
2.7.1 Create an iRule 83
2.7.2 iRule assignment 85
2.7.3 Results 88

3 Credits 95

1 Lab Environment

2 Class 2 - Advanced GSLB
The lab environment consists of a LAN of workstations in a remote branch location, with internal DNS servers behind an F5 firewall.
The F5 device is directly connected to the internet.

Students will work with the following concepts as part of a group of lab exercises:
1. Transparent Cache
2. Hidden Master
3. DNSSec
4. Validating Resolver
5. RPZ
6. URL Categorization

2.1 Transparent Cache

2.1.1 Monitors

A DNS application-specific health monitor provides the intelligence to steer DNS queries towards the fastest-responding DNS server.

Navigate to: Delivery : Load Balancing : Monitors

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/monitor/list.jsp
Create a monitor according to the following table:

Setting Value
Name example.com_dns_monitor
Type DNS
Query Name www.example.com

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/monitor/create.jsp

TMSH
tmsh create ltm monitor dns example.com_dns_monitor defaults-from dns qname www.example.com

2.1.2 Load Balancing

Augment and scale an existing DNS infrastructure by load balancing DNS queries across a pool of DNS servers.
Navigate to: Delivery : Load Balancing : Pools : Pool List

Create a pool according to the following table:

Setting Value
Name branch01_dns_pool
Health Monitors example.com_dns_monitor
Member 1: Node Name dc01.branch01.example.com_node
Member 1: Address 10.1.70.200
Member 1: Service Port 53
Member 2: Node Name dc02.branch01.example.com_node
Member 2: Address 10.1.70.210
Member 2: Service Port 53

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/pool/create.jsp

TMSH
tmsh create ltm pool branch01_dns_pool members add { dc01.branch01.example.com_node:53 { address 10.1.70.200 } dc02.branch01.example.com_node:53 { address 10.1.70.210 } } monitor example.com_dns_monitor

2.1.3 Results

1. Navigate to: DNS ›› Delivery : Load Balancing : Pools : Pool List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/pool/list.jsp
2. Click to select “branch01_dns_pool”, and then select “Members”
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/pool/resources.jsp?name=/Common/branch01_dns_pool
3. Notice the health status of the existing DNS infrastructure.

TMSH
tmsh show ltm pool branch01_dns_pool detail
In this module we prepare the objects required to build a transparent cache. In the next exercise a DNS profile will reference the cache, and a listener will forward traffic to a healthy backend DNS server.
Enabling a transparent cache on the BIG-IP offloads some DNS queries that would otherwise be sent to the internal DNS servers.

Log into the gateway device router01.branch01 in the branch office.
Navigate to DNS ›› Caches : Cache List
Create a transparent cache according to the following table:

Setting Value
Name transparent_cache
Resolver Type Transparent

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/create.jsp
TMSH command for router01.branch01:

TMSH
tmsh create ltm dns cache transparent transparent_cache

2.2 Listeners

A listener object is a specialized virtual server that is configured to respond to DNS queries.
We will create both TCP and UDP listeners that use the same IP addresses as the existing DNS servers.
Note: the Workstation is configured to use 10.1.70.200 and 10.1.70.210 for DNS.
After this module the BIG-IP will intercept and cache DNS requests.

2.2.1 Log Profile

Configure DNS query and response logging.


1. Create a “Log Publisher” for local syslog.
Navigate to: System ›› Logs : Configuration : Log Publishers

Create a local syslog publisher as shown in the table below:

Setting Value
Name local-syslog-publisher
Destinations local-syslog

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/system/log/create_publisher.jsp

TMSH
tmsh create sys log-config publisher local-syslog-publisher { destinations add { local-syslog { } } }

2. Create a “Logging Profile”


Navigate to DNS ›› Delivery : Profiles : Other : DNS Logging

Create a DNS logging profile as shown in the table below:

Setting Value
Name example_dns_logging_profile
Log Publisher local-syslog-publisher
Log Responses enabled
Include Query ID enabled

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/locallb/profile/dns_log/create.jsp

TMSH
tmsh create ltm profile dns-logging example_dns_logging_profile enable-response-logging yes
include-query-id yes log-publisher local-syslog-publisher

2.2.2 DNS Profile

A DNS profile will control which features are enabled as part of processing a query.
Navigate to: DNS ›› Delivery : Profiles : DNS

Create a DNS profile as shown in the table below.

Setting Value
Name example.com_dns_profile
DNS Cache Enabled
DNS Cache Name transparent_cache
Use BIND Server on Big-IP Disabled
Logging Enabled
Logging Profile example_dns_logging_profile
AVR statistics Sample Rate Enabled, 1/1 queries sampled

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/locallb/profile/dns/create.jsp

TMSH
tmsh create ltm profile dns example.com_dns_profile { avr-dnsstat-sample-rate 1 cache transparent_cache defaults-from dns enable-cache yes enable-logging yes log-profile example_dns_logging_profile use-local-bind no }

2.2.3 UDP Profile

A UDP profile controls the way the platform processes UDP traffic.
Navigate to: DNS ›› Delivery : Profiles : Protocol : UDP

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/profile/udp/list.jsp
Create a UDP profile as shown in the following table.

Setting Value
Name example.com_udp-dns_profile
Parent Profile udp_gtm_dns

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/profile/udp/create.jsp

TMSH
tmsh create ltm profile udp example.com_udp-dns_profile defaults-from udp_gtm_dns

2.2.4 TCP Profile

A TCP profile controls the way the platform processes TCP traffic.
Navigate to: DNS ›› Delivery : Profiles : Protocol : TCP

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/profile/tcp/list.jsp
Create a TCP profile as shown in the following table.

Setting Value
Name example.com_tcp-dns_profile
Parent Profile f5-tcp-lan

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/profile/tcp/create.jsp

TMSH
tmsh create ltm profile tcp example.com_tcp-dns_profile defaults-from f5-tcp-lan

2.2.5 UDP Listener

A UDP listener is an IP address that will receive DNS queries.


Navigate to: DNS ›› Delivery : Listeners : Listener List

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/listener/list.jsp
Create two UDP listeners according to the tables below:

Setting Value
Name DC01_udp_53_virtual
Destination Address 10.1.70.200
Service Port DNS 53
VLAN and Tunnel Traffic -> Enabled on.. branch01_vlan
Protocol UDP
Protocol Profile (Client) example.com_udp-dns_profile
DNS Profile example.com_dns_profile
Default Pool branch01_dns_pool

Setting Value
Name DC02_udp_53_virtual
Destination Address 10.1.70.210
Service Port DNS 53
VLAN and Tunnel Traffic -> Enabled on.. branch01_vlan
Protocol UDP
Protocol Profile (Client) example.com_udp-dns_profile
DNS Profile example.com_dns_profile
Default Pool branch01_dns_pool

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/locallb/virtual_server/create.jsp

TMSH
tmsh create gtm listener DC01_udp_virtual address 10.1.70.200 port 53 ip-protocol udp pool branch01_dns_pool profiles add { example.com_dns_profile example.com_udp-dns_profile } vlans add { branch01_vlan } vlans-enabled

TMSH
tmsh create gtm listener DC02_udp_virtual address 10.1.70.210 port 53 ip-protocol udp pool branch01_dns_pool profiles add { example.com_dns_profile example.com_udp-dns_profile } vlans add { branch01_vlan } vlans-enabled

2.2.6 TCP Listeners

A TCP listener is an IP address that will receive DNS queries.


Navigate to: DNS ›› Delivery : Listeners : Listener List

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/listener/list.jsp
Create two TCP listeners according to the table below:

Setting Value
Name DC01_tcp_53_virtual
Destination 10.1.70.200
Service Port DNS 53
VLAN and Tunnel Traffic -> Enabled on.. branch01_vlan
Protocol TCP
Protocol Profile (Client) example.com_tcp-dns_profile
DNS Profile example.com_dns_profile
Pool branch01_dns_pool

Setting Value
Name DC02_tcp_53_virtual
Destination 10.1.70.210
Service Port DNS 53
VLAN and Tunnel Traffic -> Enabled on.. branch01_vlan
Protocol TCP
Protocol Profile (Client) example.com_tcp-dns_profile
DNS Profile example.com_dns_profile
Pool branch01_dns_pool

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/listener/create.jsp

TMSH
tmsh create gtm listener DC01_tcp_virtual address 10.1.70.200 port 53 ip-protocol tcp pool branch01_dns_pool profiles add { example.com_dns_profile example.com_tcp-dns_profile } vlans add { branch01_vlan } vlans-enabled

TMSH
tmsh create gtm listener DC02_tcp_virtual address 10.1.70.210 port 53 ip-protocol tcp pool branch01_dns_pool profiles add { example.com_dns_profile example.com_tcp-dns_profile } vlans add { branch01_vlan } vlans-enabled

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-dns-cache-implementations-11-3-0/2.html

2.2.7 Results

1. From the jumpbox, open a command prompt and perform several recursive queries against the new listener to test it. Repeat some of the queries several times so that the cache is populated:

dig www.f5.com
dig www.wikipedia.org
dig www.ncsu.edu
dig www.example.com

2. Viewing Cache Entries


Navigate to: DNS ›› Caches : Cache List ›› Properties : transparent_cache

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/properties.jsp?name=%2FCommon%2Ftransparent_cache
Navigate to: Statistics ›› Module Statistics : DNS : Caches ›› Caches

Navigate to: Statistics ›› Module Statistics : DNS : Caches ›› Caches : transparent_cache

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/stats_detail.jsp?name=/Common/transparent_cache

TMSH
tmsh show ltm dns cache records rrset cache transparent_cache

TMSH
tmsh show ltm dns cache transparent transparent_cache

3. Clearing Entire Cache

Navigate to Statistics > Module Statistics > DNS > Caches
Set “Statistics Type” to “Caches”.
Select the cache and click “Clear Cache” to empty the cache.

2.3 Hidden Master

The internal DNS servers are authoritative for example.com, so we need to slave the zone to the BIG-IP.
After this module is complete, the BIG-IP will be an authoritative slave for the zone.

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/dns-services-implementations-11-6-0/2.html#unique_1658664851

2.3.1 Name Server

Define the Active Directory server as a nameserver and initiate a zone transfer.
Navigate to DNS ›› Delivery : Nameservers : Nameserver List

Create a nameserver according to the following table:

Setting Value
Name dc01.example.com
Address 10.1.70.200

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/nameserver/create.jsp

TMSH
tmsh create ltm dns nameserver dc01.example.com { address 10.1.70.200 }

2.3.2 DNS Express

The zone example.com is served from the high performance authoritative resolver.
Navigate to DNS ›› Zones : Zones : Zone List

Create a DNS Express zone according to the following table:

Setting Value
Name example.com
Server dc01.example.com
Allow NOTIFY From 10.1.70.200

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/zone/create.jsp

TMSH
tmsh create ltm dns zone example.com { dns-express-allow-notify add { 10.1.70.200 } dns-express-notify-tsig-verify no dns-express-server dc01.example.com }

https://support.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-services-implementations-12-1-0/1.html#guid-977cd16a-5d12-4b1e-964c-5d8206f647ed

2.3.3 Results

The BIG-IP is now an authoritative slave for the example.com zone. This protects the master and increases performance by using the BIG-IP DNS delivery engine.
1. Click on the newly created DNS Express zone and make sure it shows green for ‘Available’, indicating that the initial AXFR transfer was successful.

2. Using putty from the taskbar, log in to router01.branch01.example.com.
Run the following command to see the contents of the DNS Express database:

dnsxdump | less

Examine the results

2.4 DNSSec

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/dns-services-implementations-11-6-0/2.html#unique_1658664851

2.4.1 Zone Signing Key

Navigate to: DNS ›› Delivery : Keys : DNSSEC Key List

Create a zone signing key according to the following table:

Setting Value
Name example.com_zsk
Type Zone Signing Key
Key Management Manual
Certificate default.crt
Private Key default.key

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/dnssec_key/create.jsp

TMSH
tmsh create ltm dns dnssec key example.com_zsk key-type zsk certificate-file default.crt key-file default.key

2.4.2 Key Signing Key

Navigate to: DNS ›› Delivery : Keys : DNSSEC Key List

Create a key signing key according to the following table:

Setting Value
Name example.com_ksk
Type Key Signing Key
Key Management Manual
Certificate default.crt
Private Key default.key

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/dnssec_key/create.jsp
TMSH commands for Key Signing key creation:

TMSH
tmsh create ltm dns dnssec key example.com_ksk key-type ksk certificate-file default.crt key-file default.key

2.4.3 Signed Zone

Navigate to: DNS ›› Zones : DNSSEC Zones : DNSSEC Zone List

https://router01.branch01.example.com/tmui/Control/form?__handler=/tmui/dns/dnssec_zone/list&__source=delete_confirm&__linked=false&__fromError=false
Create a DNSSEC-signed zone for the DNS Express zone example.com according to the following table:

Setting Value
Name example.com
Zone Signing Key example.com_zsk
Key Signing Key example.com_ksk

TMSH commands for DNSSEC signed zone creation:

TMSH
tmsh create ltm dns dnssec zone example.com keys add { example.com_ksk example.com_zsk }

2.4.4 Results

From the CLI on the router01.branch01 BIG-IP, run:

tail -f /var/log/ltm

From the Workstation CMD prompt run: “dig example.com +dnssec”

2.5 Validating Resolver

2.5.1 Trust Anchors

Create a trust anchor to validate content in a DNS response.


Using PuTTY, ssh into router01.branch01 and run the following commands from the bash shell (these are not tmsh commands):

dig dnskey . | grep 257 > /root/dnskey.txt
dnssec-dsfromkey -f /root/dnskey.txt .

Navigate to: DNS ›› Caches : Cache List ›› validating-resolver_cache : Trust Anchors
Select the validating-resolver_cache and click “Trust Anchors”

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/trust_anchor/list.jsp?name=%2FCommon%2Fvalidating-resolver_cache&tab=dns_cache_validating_config

For each line of output from the preceding command create a “Trust Anchor”

TMSH
tmsh modify ltm dns cache validating-resolver validating-resolver_cache trust-anchors replace-all-with { ". IN DS 19036 8 1 B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E" ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5" ". IN DS 20326 8 1 AE1EA5B974D4C858B740BD03E3CED7EBFCBD1724" ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D" }
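The trust-anchor step above derives DS records from the root DNSKEY set with "dig dnskey . | grep 257" followed by dnssec-dsfromkey. As an added example that is not from the lab guide or from F5, the Python below performs the same DS derivation (RFC 4034 key tag, then SHA-1 and SHA-256 digests over the owner name plus DNSKEY RDATA) and selects key-signing keys by their flags field rather than by a substring grep for 257. The DNSKEY lines embedded in it are constructed dummies with a four-byte key, so the records it prints are not the real root trust anchors; feed it real dig output to obtain those.

```python
"""Derive DS trust-anchor records from DNSKEY records, as dnssec-dsfromkey does.

Added example, not part of the F5 lab guide. The DNSKEY lines in SAMPLE are
constructed dummies (four-byte public key), so the digests produced here are
NOT the real root trust anchors shown in the lab's tmsh command.
"""
import base64
import hashlib


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name; "." is a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode() for l in labels) + b"\x00"


def parse_dnskey(line: str) -> dict:
    """Parse one DNSKEY line as dig prints it: owner [ttl] [IN] DNSKEY flags proto alg key..."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    key = base64.b64decode("".join(f[i + 4:]))  # dig may split the base64 into chunks
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    return {"owner": f[0], "flags": flags, "algorithm": alg, "rdata": rdata}


def ds_records(line: str) -> list:
    """DS records (digest type 1 = SHA-1, 2 = SHA-256) for one DNSKEY line,
    in the '. IN DS tag alg type DIGEST' form the lab's tmsh command expects."""
    k = parse_dnskey(line)
    tag = key_tag(k["rdata"])
    material = name_to_wire(k["owner"]) + k["rdata"]  # digest input per RFC 4034 5.1.4
    out = []
    for dtype, h in ((1, hashlib.sha1), (2, hashlib.sha256)):
        digest = h(material).hexdigest().upper()
        out.append(f'{k["owner"]} IN DS {tag} {k["algorithm"]} {dtype} {digest}')
    return out


def trust_anchors(dig_output: str) -> list:
    """Keep only key-signing keys (flags == 257), judged on the flags field.

    A plain 'grep 257' would also match a ZSK whose key tag or base64 text
    happens to contain the digits 257; checking the parsed field avoids that."""
    anchors = []
    for line in dig_output.splitlines():
        if "DNSKEY" in line and not line.startswith(";"):
            if parse_dnskey(line)["flags"] == 257:
                anchors.extend(ds_records(line))
    return anchors


# Constructed sample in the shape of a `dig dnskey .` answer section (dummy key material).
SAMPLE = """\
;; ANSWER SECTION:
.\t172800\tIN\tDNSKEY\t256 3 8 AQIDBA==
.\t172800\tIN\tDNSKEY\t257 3 8 AQIDBA==
"""

if __name__ == "__main__":
    for ds in trust_anchors(SAMPLE):
        print(ds)
```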

2.5.2 Modify DNS Profile

In order to activate the new “Validating Resolver”, modify the DNS profile example.com_dns_profile.
Navigate to: DNS ›› Delivery : Profiles : DNS

Select the profile “example.com_dns_profile”


Modify the DNS profile to activate the new validating-resolver_cache.

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/profile/dns/properties.jsp?name=/Common/example.com_dns_profile

TMSH
tmsh modify ltm profile dns example.com_dns_profile cache validating-resolver_cache

2.5.3 Results

From the CLI on the router01.branch01 BIG-IP, run:

tail -f /var/log/ltm

From the Workstation CMD prompt run: “dig ghghghghg.com”

From the Workstation CMD prompt run: “dig google.com”

From the Workstation CMD prompt run: “dig dnssec-deployment.org +dnssec”

From the Workstation CMD prompt run: “dig dnssec-failed.org +dnssec”

http://www.internetsociety.org/deploy360/resources/dnssec-test-sites/
Configure a validating resolver cache on the BIG-IP® system to recursively query public DNS servers, validate the identity of the DNS server sending the responses, and then cache the responses.
After completing this lab, students will have entirely offloaded DNS queries from the internal masters.

Navigate to DNS ›› Caches : Cache List

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/list.jsp
Create a validating resolver cache according to the table below:

Setting Value
Name validating-resolver_cache
Resolver Type Validating Resolver
Answer default zones Checked - Enabled

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/create.jsp

TMSH
tmsh create ltm dns cache validating-resolver validating-resolver_cache answer-default-zones yes

https://support.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-services-implementations-12-1-0/7.html#guid-d4548549-b4e2-4dae-9ada-3ea00eb84c1f

2.6 RPZ

A Response Policy Zone (RPZ) will be enabled to stop clients from resolving blacklisted domains.

https://support.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-services-implementations-12-1-0/8.html

2.6.1 Zone Runner

In production, customers subscribe to an RPZ feed from their vendor of choice.

For this lab, use ZoneRunner to create a custom RPZ zone.

Navigate to DNS ›› Zones : ZoneRunner : Zone List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/globallb/zfd/zone/create.jsp

Create a zone according to the following table:

Setting Value
View Name external
Zone Name rpz.example.com
Zone Type Master
Zone File Name db.external.rpz.example.com
Options also-notify { ::1 port 5353; };
TTL 300
Master Server router01.branch01.example.com.
Email Contact hostmaster.example.com.
NS Record: TTL 300
NS Record: Nameserver router01.branch01.example.com.
Create A Record Checked - Enabled
A Record: IP Address 10.1.71.1

Navigate to: DNS ›› Zones : ZoneRunner : Resource Record List
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/globallb/zfd/record/create.jsp

Create a resource record according to the following table:

Setting Value
View Name external
Zone Name rpz.example.com
Name *.guns.com.rpz.example.com.
TTL 300
Type CNAME
CNAME .

2.6.2 Name Server

Navigate to DNS ›› Delivery : Nameservers : Nameserver List

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/nameserver/list.jsp
Create a nameserver according to the following table:

Setting Value
Name localhost

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/nameserver/create.jsp

TMSH
tmsh create ltm dns nameserver localhost { address 127.0.0.1 tsig-key none }

2.6.3 DNS Express

Navigate to DNS ›› Zones : Zones : Zone List


https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/zone/create.jsp

Create a DNS Express zone according to the following table:

Setting Value
Name rpz.example.com
Server localhost
Allow NOTIFY From 127.0.0.1
Response Policy checked

TMSH
tmsh create ltm dns zone rpz.example.com { dns-express-server localhost response-policy yes dns-express-allow-notify add { 127.0.0.1 } dns-express-notify-tsig-verify no }

2.6.4 Local Zone

Navigate to: DNS ›› Caches : Cache List


https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/list.jsp

Select validating-resolver_cache, click “Local Zones”, and click “Add”
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/local_zone/list.jsp?name=%2FCommon%2Fvalidating-resolver_cache&tab=dns_cache_config

Create a local zone entry according to the following table:

Setting Value
Name sorry.example.com
Type Static
Records sorry.example.com. IN A 10.1.71.21

TMSH commands for router01.branch01:

TMSH
tmsh modify ltm dns cache validating-resolver validating-resolver_cache local-zones { { name sorry.example.com records add { "sorry.example.com. IN A 10.1.71.21" } type static } }

2.6.5 Walled Garden

Navigate to: DNS ›› Caches : Cache List


https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/list.jsp
Click “validating-resolver_cache”

Select validating-resolver_cache, click “Response Policy Zones”, and then click “Add”
https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/cache/rpz/list.jsp?name=%2FCommon%2Fvalidating-resolver_cache&tab=dns_cache_config

Create a response policy zone entry according to the following table:

Setting Value
Zone rpz.example.com
Action Walled Garden
Walled Garden sorry.example.com

TMSH commands for router01.branch01:

TMSH
tmsh modify ltm dns cache validating-resolver validating-resolver_cache response-policy-zones add { rpz.example.com { action walled-garden walled-garden sorry.example.com } }

2.6.6 Results

From a Workstation command prompt run “dig www.guns.com”

Try running additional dig commands to verify that other domains still resolve as expected.
dig www.f5.com
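The RPZ zone from 2.6.1, the sorry.example.com local zone from 2.6.4 and the walled-garden action from 2.6.5 combine to produce the answer observed above. The Python below is an added example, not from the lab guide or from F5: a small evaluator that applies those three lab objects to a query name using standard RPZ wildcard semantics, so the expected answer for www.guns.com can be reasoned about before running dig against the BIG-IP. It also makes visible that the single *.guns.com record covers names below guns.com but not guns.com itself.

```python
"""Model of the RPZ walled-garden behaviour configured in section 2.6 of the lab.

Added example, not part of the F5 lab guide. It reproduces the policy logic
of the validating-resolver_cache for the lab's objects; it does not talk to a
BIG-IP. The upstream answers passed to resolve() are constructed stand-ins
for what the recursive lookup would have returned.
"""

RPZ_ZONE = "rpz.example.com."

# Resource record from section 2.6.1 as entered in ZoneRunner: owner -> CNAME target.
# "CNAME ." is the RPZ trigger that means NXDOMAIN unless the cache's action overrides it.
RPZ_RECORDS = {"*.guns.com.rpz.example.com.": "."}

# Static local zone from section 2.6.4.
LOCAL_ZONES = {"sorry.example.com.": "10.1.71.21"}

# Response policy attached to the cache in section 2.6.5.
RPZ_POLICY = {"action": "walled-garden", "walled-garden": "sorry.example.com."}


def _fqdn(name: str) -> str:
    name = name.lower()
    return name if name.endswith(".") else name + "."


def trigger(owner: str) -> str:
    """Strip the RPZ zone suffix: '*.guns.com.rpz.example.com.' -> '*.guns.com.'"""
    if not owner.endswith("." + RPZ_ZONE):
        raise ValueError(f"{owner} is not inside {RPZ_ZONE}")
    return owner[: -len(RPZ_ZONE)]


def rpz_match(qname: str):
    """Return the RPZ record owner whose QNAME trigger matches, or None.

    Standard RPZ/DNS wildcard semantics: '*.guns.com.' matches any name below
    guns.com but not guns.com itself; a non-wildcard owner matches only itself.
    """
    q = _fqdn(qname)
    for owner in RPZ_RECORDS:
        trig = trigger(owner)
        if trig.startswith("*."):
            if q.endswith(trig[1:]):       # trig[1:] is '.guns.com.', so the apex is excluded
                return owner
        elif q == trig:
            return owner
    return None


def resolve(qname: str, upstream_answer: str):
    """Apply the cache's policy to a query.

    Returns (outcome, answer): 'passthrough' with the upstream answer,
    'walled-garden' with the address from the local zone, or 'nxdomain'.
    """
    owner = rpz_match(qname)
    if owner is None:
        return ("passthrough", upstream_answer)
    if RPZ_POLICY["action"] == "walled-garden":
        # The client is steered to the walled-garden name, answered from the local zone
        # instead of being told the name does not exist.
        return ("walled-garden", LOCAL_ZONES[RPZ_POLICY["walled-garden"]])
    if RPZ_RECORDS[owner] == ".":
        return ("nxdomain", None)
    return ("rewrite", RPZ_RECORDS[owner])


if __name__ == "__main__":
    for q in ("www.guns.com", "shop.guns.com", "guns.com", "www.f5.com"):
        print(q, resolve(q, "<upstream answer>"))
```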

2.7 URL Categorization

Configure DNS query filtering based on the category of the requested domain. This is done with an F5 iRule and the built-in URL categorization database.

2.7.1 Create an iRule

Navigate to: DNS ›› Delivery : iRules : iRules List

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/rule/list.jsp
Create a new iRule and paste the content below into it.

Setting Value
Name DNS-query-filtering

when RULE_INIT {
    # Set categories to block for DNS hosts
    set static::blocked_categories {
        /Common/Bot_Networks
        /Common/Spyware
        /Common/Malicious_Web_Sites
        /Common/Adult_Content
        /Common/Sex
    }

    # CONFIGURATION
    # Check all requests by default
    set static::request_check 1
    # If the category returns as blocked, return NXDOMAIN (1)
    # Otherwise if (0), return a statically defined IP address
    set static::request_return_nxdomain 0
    set static::request_redirect_to "10.1.71.21"
    # Toggle for debug logs
    set static::request_debug 1
}

when DNS_REQUEST {
    if { $static::request_check } {
        # Look up the category of the queried name; keep the first space-delimited category only
        set lookup_category [getfield [CATEGORY::lookup "http://[DNS::question name]"] " " 1]

        # lsearch returns the 0-based index of the match, or -1 when nothing matches,
        # so the comparison must be against 0 or the first category is never blocked
        if { [lsearch -exact $static::blocked_categories $lookup_category] >= 0 } {
            if { $static::request_debug } {
                log local0. "BLOCKED: Category $lookup_category matching [DNS::question name] is filtered."
            }
            DNS::answer clear
            if { $static::request_return_nxdomain } {
                DNS::header opcode QUERY
                DNS::header rcode NXDOMAIN
            } else {
                if { [DNS::question type] equals "A" } {
                    DNS::answer insert "[DNS::question name]. 111 [DNS::question class] [DNS::question type] $static::request_redirect_to"
                }
            }
            DNS::return
        } else {
            if { $static::request_debug } {
                log local0. "Category $lookup_category matching [DNS::question name] is not filtered"
            }
        }
    }
}

TMSH commands for router01.branch01 (use a text editor to copy the iRule content above and paste it into the rule definition):

TMSH
tmsh create ltm rule DNS-query-filtering

2.7.2 iRule assignment

Repeat the following steps for all 4 DNS listeners.


Navigate to: DNS ›› Delivery : Listeners : Listener List

Navigate to the listener DC01_udp_virtual

Navigate to iRules section

Navigate to Manage

https://router01.branch01.example.com/tmui/Control/form?__handler=/tmui/dns/listener/irules&__source=Manage. . . &__link
Highlight DNS-query-filtering iRule and move it to Selected column

TMSH commands for router01.branch01

TMSH
tmsh modify gtm listener all rules { DNS-query-filtering }

2.7.3 Results

From the CLI on the router01.branch01 BIG-IP, run:

tail -f /var/log/ltm

From the Workstation command prompt run “dig example.com” and check the results

From the Workstation command prompt run “dig porno.com” and check for the results

Navigate to: DNS ›› Delivery : iRules : iRules List

https://router01.branch01.example.com/tmui/Control/jspmap/tmui/dns/rule/list.jsp
Click on the DNS-query-filtering iRule and add new filtering category “News_and_Media”

From the Workstation command prompt run “dig cnn.com” and check for the results

3 Credits

• Agility 2017:
Bill Wester
Boris Gekhtman
Brendan Gladney
Brian Buback
Emilio Torres
Dave Doucette
Josh Anderson
Robin Mordasiewicz
• Advisors:
Hitesh Patel
Joe Hermes
Jonathan Dehaan
Pat Chang
Pat Fiorino
Brian Van Lieu

